DOD lifts ban on USB drives

The Defense Department has lifted its 15-month-old ban on USB drives and other portable media, a restriction that had made life difficult for DOD personnel.

The ban was issued in November 2008 by the U.S. Strategic Command after a virus, a variation of the SillyFDC worm, was found to be spreading through military networks by copying itself from one removable drive to another. The ban covered all forms of USB flash media, such as thumb drives, memory sticks and cards, and camera memory cards, as well as some other removable media.

However, the drives are useful for storing and transferring data, particularly in field locations with little or no bandwidth, so DOD officials began looking for ways to lift the restriction.

Navy Department Chief Information Officer Robert Carey wrote in his blog in October 2009 that his staff was working with a team from the Defense-wide Information Assurance Program to establish the minimum requirements for network security, in anticipation of lifting the ban.

“Although policy and processes were in place to facilitate the safe use of USB flash media, they were not being followed,” Carey wrote. “Unfortunately, it was our bad IT hygiene that resulted in the ban of this all too flexible use of storage media.”

However, Carey wrote, removable drives were too useful to allow the ban to continue for too long. “Such media provide a simple, inexpensive, reusable and ubiquitous means for transferring information between computers and servers on both public and private networks,” he wrote. “USB flash media are often used for deploying operating system patches, antivirus updates, and other large data transfers in bandwidth constrained environments,” such as aboard ships and in deployed areas.

Tom Conway, director of federal business development for security company McAfee, said new rules for using removable media would likely accompany the lift of the ban.

“Based on how the military is looking at [information technology] in general, there is going to be a lot more accountability,” he said. That could include control over who is allowed to use the devices, steps to ensure they are used in compliance with security practices, and enforcement if the devices are used improperly, he said.

“It’s a prudent first step,” Conway said. “But it’s not the only thing they can do.” He said portable flash drives are available with biometric authentication in addition to password protection, and some can be used with DOD’s Common Access Cards. He said DOD could establish defensewide security standards, but allow individual units, such as those in deployed areas, to increase security levels if needed.

In December, McAfee and Northrup Grumman signed a $9.7 million contract to secure 5 million DOD desktop and notebook PCs and servers via a host-based security system, which provides a top-level view of cybersecurity.

The lift of the ban was first reported by InsideDefense.com (subscription required). Wired magazine reported that the ban had been lifted on all forms of removable media.

About the Author

Kevin McCaney is editor of Defense Systems. Follow him on Twitter: @KevinMcCaney.

inside gcn

Reader Comments

Tue, Aug 19, 2014
DKM

Many units handled the threat and were an exception to the ban by using USB port control solutions like DeviceLock to limit access of removable USB media to authorized personnel using only authorized (whitelisted) devices by their model or device numbers. Most CD-DVD use was either blocked or mitigated to read-only as well.

Mon, Mar 1, 2010
Fort Monmouth, NJ

In response to Thursday post. I do not consider it an over reaction. We became lazy and started to relied too much on USB thumbdrives........storing and copying everything under the sun. We disregarded our annual (IA) Information Assurance refresher training. We should only use USBs as a last resort, as the article implies, where there is no bandwidth and no other means of getting the data, information transported. Now some services, agencies, commmands, also, banned "CD/DVD" storage...then you really had a problem. For me, it made me less lazy and I considered alternatives methods. I hope the ban had the effect on everyone else.

Thu, Feb 25, 2010

Note it took 18 months for this over-reaction to the poor practices of some to be lifted. It will take at least another 18 months for most Commands to figure out what to do. We will never go back to thumb drives being as ubiquitous (and flexible foraiding data transfer) as they once were.

Wed, Feb 24, 2010

Now this should be interesting how long it takes for mangement to allow the information to trickle down to the workforce. I rember when the flashdrive was removed; I lost many important memos and electronic documents.

Tue, Feb 23, 2010

Be careful ... the USB Thumb drive I found in January at a BWI parking lot comes to mind. The good thing ... it only contained 100's of Steelers photos.

Please post your comments here. Comments are moderated, so they may not appear immediately
after submitting. We will not post comments that we consider abusive or off-topic.